http://www.secnetops.com/research
Strategic Reconnaissance Team research[at]secnetops[.]com
Team Lead Contact kf[at]secnetops[.]com
Spam Contact `rm -rf /`@snosoft.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
To learn more about our company, products and services or to request a
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
call us at: 978-263-3829
Quick Summary:
************************************************************************
Advisory Number : SRT2004-01-09-1022
Product : Symantec LiveUpdate
Version : 1.70.x through 1.90.x
Vendor : http://symantec.com/techsupp/files/lu/lu.html
Class : Local
Criticality : High (to users of the below listed products)
Products Affected : Symantec LiveUpdate 1.70.x through 1.90.x
: Norton SystemWorks 2001-2004
: Norton AntiVirus (and Pro) 2001-2004
: Norton Internet Security (and Pro) 2001-2004
: Symantec AntiVirus for Handhelds v3.0
Operating System(s) : Win32
Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section.
Basic Explanation
************************************************************************
High Level Description : LiveUpdate allows local users to become SYSTEM
What to do : run LiveUpdate and apply latest patches.
Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept.
Low Level Description : Symantec, the world leader in Internet security
technology, provides a broad range of content and network security
software and appliance solutions to individuals, enterprises and service
providers. The company is a leading provider of client, gateway and server
security solutions for virus protection, firewall and virtual private
network, vulnerability management, intrusion detection, Internet content
and email filtering, and remote management technologies and security
services to enterprises and service providers around the world. Symantec's
Norton brand of consumer security products is a leader in worldwide retail
sales and industry awards. Headquartered in Cupertino, Calif., Symantec
has worldwide operations in 36 countries.
Symantec's Norton Internet Security 2004 provides essential protection
from viruses, hackers, and privacy threats. During an audit of NIS2004
we uncovered a local privilege escalation issue in LiveUpdate. The issue
can allow a local user to gain SYSTEM privileges on NT based Windows
machines (this includes 2k3, 2k, and XP). ONLY "consumer/retail products"
are prone to this particular attack. Symantec Enterprise products do not
support the Automatic LiveUpdate functionality so they are not vulnerable.
The final thing to keep in mind is that this vulnerability can be highly
dependent on the system configuration and environment.
While logged in as an underprivileged user a small sliding popup window may
appear from the Windows task bar saying "there are Live Updates available,
click here to run LiveUpdate". If you click to run LiveUpdate you should
notice that LUALL.exe and LUCOMS~1.exe are now running as the user SYSTEM.
Click the help button and you will now have a "LiveUpdate Help" window, click
File and then Open. Browse to c:\windows\system32 and right click on cmd.exe,
click open and you now have a cmd prompt running as SYSTEM.
Normally, when a user starts LiveUpdate it runs as the user you logged in as.
In order for this to be exploitable, Symantec Automatic LiveUpdate must be
enabled.
Please see http://www.secnetops.biz/images/SRT2004-01-09-1022.jpg for an
example of exploitation.
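As an added defensive triage script (not code from Secure Network Operations or Symantec), the following checks one host for the three conditions the advisory describes: a LiveUpdate version in the affected 1.70.x through 1.90.x range, Automatic LiveUpdate enabled, and a LiveUpdate process whose token is SYSTEM rather than the logged-on user. The Proc record, its fields and the snapshot data are assumptions standing in for whatever inventory or process-listing tool you export from.

```python
from dataclasses import dataclass

# Process names taken from the advisory; LUCOMS~1.exe is the 8.3 short name it shows.
LIVEUPDATE_PROCESSES = {"luall.exe", "lucoms~1.exe"}
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}

@dataclass(frozen=True)
class Proc:
    """One row of a process snapshot (hypothetical fields, constructed sample data)."""
    name: str   # image name as shown in Task Manager
    owner: str  # account the process token belongs to

def parse_version(text: str) -> tuple[int, ...]:
    """'1.80.2' -> (1, 80, 2); rejects anything that is not dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {text!r}")
    return parts

def is_affected_version(text: str) -> bool:
    """True for 1.70.x through 1.90.x inclusive, the range named in the advisory."""
    major, minor = parse_version(text)[:2]
    return major == 1 and 70 <= minor <= 90

def system_liveupdate_procs(procs: list[Proc]) -> list[Proc]:
    """LiveUpdate processes whose token is SYSTEM rather than the logged-on user."""
    return [p for p in procs
            if p.name.lower() in LIVEUPDATE_PROCESSES
            and p.owner.upper() in SYSTEM_ACCOUNTS]

def assess(version: str, auto_liveupdate: bool, procs: list[Proc]) -> list[str]:
    """Human-readable findings for one host; an empty list means nothing to act on."""
    findings = []
    affected = is_affected_version(version)
    if affected:
        findings.append(f"LiveUpdate {version} is in the affected range; apply the fix via LiveUpdate")
    if affected and auto_liveupdate:
        findings.append("Automatic LiveUpdate is enabled, the prerequisite for exploitation")
    for p in system_liveupdate_procs(procs):
        findings.append(f"{p.name} is running as {p.owner} instead of the logged-on user")
    return findings

if __name__ == "__main__":
    # Constructed snapshot of an unpatched XP host while an automatic update is running.
    snapshot = [Proc("explorer.exe", "CORP\\alice"), Proc("LUALL.EXE", "NT AUTHORITY\\SYSTEM")]
    for line in assess("1.80.2", True, snapshot):
        print(line)
```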
Vendor Status : Symantec promptly attended to the issue and
was very responsive during all phases of discovery / research and patching.
Fixes are now available via LiveUpdate.
Bugtraq URL : To be assigned. CVE candidate CAN-2003-0994.
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract. Contact our sales
department at sales[at]secnetops[.]com for further information on how to
obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."
> -------------------------------------------------------------------------- <
Author: wangan (妙麗伺服器站長^^) Board: AntiVirus
Title: Re: Norton Live-Update got a trojan installed
Time: Mon May 3 01:33:05 2004
※ Quoting jckk (can u hear me!?):
: Thanks to this board member for providing it
: But after I installed this program
: Norton still can't AutoProtect?
: Scanning online with Trend Micro didn't find anything?
: Please help! Thanks!
I ran into the same problem last time: Norton's scanning was turned off and email protection was turned off.
But my fix was simple: reinstall Norton 2004 and LiveUpdate right away.
Norton is working fine now :)~
wagnan: This must be the reason some people's Norton forcibly shuts off scanning, a trojan has already been installed @@???
Author Number5 (西瓜不會思考) Board Newstand
Title Symantec officially admits NAV2003 was compromised by a trojan
Time Tue Jan 27 20:14:43 2004
The well-known antivirus company Norton has officially admitted to the media that the LiveUpdate
feature of its Norton AntiVirus 2003 has a vulnerability: after infection by a trojan, someone
else can obtain Administrator privileges without authorization. The attack date was January 7,
2004, so when people ran LiveUpdate they installed the trojan along with it.
Norton claims it only affects the XP/2000/2003/2004 versions; after getting this trojan the
right-click function becomes slow, Office software becomes slow and the virus scanning function
fails. Secure Network Operations, the company that discovered this problem, found it as early as
last Tuesday, and Norton has now provided a 4MB update program.
ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe
All of the following may be affected
Affected Components
Symantec Windows LiveUpdate 1.70.x through 1.90.x
Symantec Norton SystemWorks 2001-2004
Symantec Norton AntiVirus and Norton AntiVirus Pro 2001-2004
Symantec Norton Internet Security and Norton Internet Security Pro 2001-2004
Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0
--
The original text follows
Secure Network Operations, Inc.